Technical information
Malicious functions:
Executes code of the following detected threats:
- Adware.Uapush.1.origin
Accesses the ITelephony private interface.
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) c####.baidust####.com:80
- TCP(HTTP/1.1) scs.opensp####.cn:80
- TCP(HTTP/1.1) h####.opensp####.cn:80
- TCP(HTTP/1.1) ana####.wea####.com.cn:80
- TCP(HTTP/1.1) www.a.sh####.com:80
- TCP(HTTP/1.1) s####.jom####.com:80
- TCP(HTTP/1.1) fc####.b####.com:80
- TCP(HTTP/1.1) mc.wea####.com.cn:80
- TCP(HTTP/1.1) d####.opensp####.cn:80
- TCP(HTTP/1.1) ch####.jom####.com:80
- TCP(HTTP/1.1) se####.b####.com:80
- TCP(HTTP/1.1) pos.b####.com:80
- TCP(HTTP/1.1) wx.wea####.com.####.com:80
- TCP(HTTP/1.1) opencdn####.jom####.com:80
- TCP(HTTP/1.1) a####.u####.com:80
- TCP(HTTP/1.1) si####.jom####.com:80
- TCP(HTTP/1.1) nsc####.b####.com:80
- TCP(HTTP/1.1) loc.map.b####.com:80
- TCP(HTTP/1.1) ec####.b####.com:80
- TCP(HTTP/1.1) re####.o####.cn:80
- TCP(HTTP/1.1) wap.n.sh####.com:80
- TCP(HTTP/1.1) t####.jom####.com:80
- TCP(HTTP/1.1) m.wea####.com.cn:80
- TCP(HTTP/1.1) ssls####.jom####.com:80
- TCP(TLS/1.0) x####.tc.qq.com:443
- TCP(TLS/1.0) pr.m####.qq.com:443
- TCP(TLS/1.0) mbdchu####.n.sh####.com:443
- TCP(TLS/1.0) 1####.217.168.238:443
- TCP(TLS/1.0) ana####.wea####.com.cn:443
- TCP(TLS/1.0) www.a.sh####.com:443
- TCP(TLS/1.0) c.c####.com:443
- TCP(TLS/1.0) wx.wea####.com.####.com:443
- TCP(TLS/1.0) hm.b####.com:443
- TCP(TLS/1.0) m.wea####.com.cn:443
- TCP(TLS/1.0) m####.qq.com:443
- TCP(TLS/1.0) cambria####.cdn.bc####.####.com:443
DNS requests:
- 3####.qq.com
- a####.map.qq.com
- a####.u####.com
- a####.weath####.com
- ana####.wea####.com.cn
- api.s####.b####.com
- au.u####.com
- b####.s####.b####.com
- b####.weath####.com
- ba####.wea####.com.cn
- bj.wea####.com.cn
- c####.baidu####.cn
- c####.baidust####.com
- cambria####.cdn.bc####.com
- cfg.ads####.com
- cfg.ads####.mobi
- cfg.ads####.net
- cfg.ads####.org
- d####.opensp####.cn
- d1.wea####.com.cn
- d4.wea####.com.cn
- d7.wea####.com.cn
- e.wea####.com.cn
- ec####.b####.com
- ext.b####.com
- fc####.b####.com
- g####.bdst####.com
- g0.b####.com
- h####.opensp####.cn
- hm.b####.com
- i.t####.com.cn
- i.wea####.com.cn
- loc.map.b####.com
- m####.qq.com
- m.b####.com
- m.wea####.com.cn
- mc.wea####.com.cn
- n####.batbro####.com
- nsc####.b####.com
- pos.b####.com
- pr.m####.qq.com
- re####.o####.cn
- s.bdst####.com
- s23.c####.com
- scs.opensp####.cn
- se####.b####.com
- sp1.b####.com
- t10.b####.com
- t11.b####.com
- t12.b####.com
- t8.b####.com
- t9.b####.com
- wx.wea####.com.cn
HTTP GET requests:
- ana####.wea####.com.cn/images/mobile/mtqtj/2019/02/25/20190225154727D6C6...
- ana####.wea####.com.cn/images/mobile/mtqtj/2019/02/25/20190225164030200B...
- ana####.wea####.com.cn/images/mobile/mtqtj/2019/02/27/20190227094319A1AF...
- ana####.wea####.com.cn/images/mobile/mtqtj/2019/02/27/20190227160022EAF6...
- c####.baidust####.com/cpro/ui/pr.js
- ch####.jom####.com/it/u=1685742584,3874390185&fm=190&app=7&size=r3,2&n=0...
- ch####.jom####.com/it/u=2741443712,1297582580&fm=190&app=7&size=r3,2&n=0...
- ch####.jom####.com/it/u=3592028926,3829684239&fm=190&app=7&size=r3,2&n=0...
- ec####.b####.com/rs.jpg?type=####&key=####&rdm=####
- ec####.b####.com/rs.jpg?type=####&rdm=####
- fc####.b####.com/w.gif?baiduid=####&asp_time=####&query=####&queryUtf8=#...
- h####.opensp####.cn/launchconfig?t=####&p=####
- m.wea####.com.cn/i/wap/headpic/i_back.png
- m.wea####.com.cn/i/wap/headpic/i_dot.png
- m.wea####.com.cn/i/wap/headpic/i_share.png
- m.wea####.com.cn/i/wap/headpic/logo_zero.png
- m.wea####.com.cn/js/v1/wa.js?site_id=####
- m.wea####.com.cn/mweather/101010100.shtml
- mc.wea####.com.cn/fzdhodg.js
- mc.wea####.com.cn/production/openjs/3z1zh.js?j=####
- mc.wea####.com.cn/site/production/ifx8k.js?id=####
- mc.wea####.com.cn/source/openjs/production/tfl1.js?tognxxkx=####
- mc.wea####.com.cn/source/res/g7avc.js?faszzjg=####
- nsc####.b####.com/v.gif?pid=####&type=####&sign=####&desturl=####&linkid...
- opencdn####.jom####.com/mms/graph/static/resource/sdk/v1.11.12/mms-wise.js
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&ant=####&cfv...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&cfv=####&ti=...
- pos.b####.com/s?hei=####&wid=####&di=####<u=####&psi=####&cpl=####&chi...
- re####.o####.cn/www/gtr/asyncjs.php
- re####.o####.cn/www/gtr/asyncspc.php?zones=####&prefix=####&loc=####
- s####.jom####.com/static/api/css/share_style0_32.css?v=####
- s####.jom####.com/static/api/js/base/tangram.js?v=####
- s####.jom####.com/static/api/js/share.js?v=89860593.js?cdnversion=####
- s####.jom####.com/static/api/js/share/api_base.js
- s####.jom####.com/static/api/js/share/share_api.js?v=####
- s####.jom####.com/static/api/js/trans/logger.js?v=####
- s####.jom####.com/static/api/js/view/share_view.js?v=####
- s####.jom####.com/static/api/js/view/view_base.js
- s####.jom####.com/v.gif
- se####.b####.com/mwb.gif?type=####&fm=####&data=####&qid=####&did=####&q...
- se####.b####.com/mwb.gif?type=####&fm=####&data=[{####&qid=####&did=####...
- se####.b####.com/mwb2.gif?pid=####&lid=####&ts=####&type=####&info=####&...
- se####.b####.com/webb.gif?pid=####&lid=####&ts=####&type=####&info=####&...
- si####.jom####.com/common/openjs/openBox.js?_v=####
- si####.jom####.com/it/u=1735705228,2864933400&fm=58
- si####.jom####.com/it/u=2232496690,1963804135&fm=58
- si####.jom####.com/it/u=3040470395,1806429572&fm=58
- si####.jom####.com/it/u=3157013161,1755092035&fm=58
- si####.jom####.com/it/u=3218568124,2005984549&fm=58
- si####.jom####.com/it/u=3276428396,2098109788&fm=58
- si####.jom####.com/it/u=3315439263,2082618297&fm=58
- si####.jom####.com/it/u=3355279612,1940172559&fm=58
- si####.jom####.com/it/u=3380400507,2023769886&fm=58
- si####.jom####.com/it/u=4031998475,4038165370&fm=58
- si####.jom####.com/it/u=4077002248,1944344631&fm=58
- si####.jom####.com/it/u=4090094956,3674388176&fm=58
- si####.jom####.com/it/u=4115718665,2233212344&fm=58
- si####.jom####.com/it/u=4142246125,2102926728&fm=58
- si####.jom####.com/it/u=487940383,2613893001&fm=58
- si####.jom####.com/it/u=637360004,1220028889&fm=179&app=42&f=JPEG?w=####...
- si####.jom####.com/it/u=698183260,3815288459&fm=58
- ssls####.jom####.com/5foUcz3n1MgCo2Kml5_Y_D3/graph/static/resource/sdk/m...
- t####.jom####.com/timg?wisealaddin&size=f530_350&quality=100&sec=1551353...
- wap.n.sh####.com/from=381b/s?word=####&sa=####&ts=####&t_kt=####&ie=####...
- wap.n.sh####.com/rec?platform=####&ms=####&lsAble=####&rset=####&word=##...
- wap.n.sh####.com/s?ref=####&st=####&tn=####&from=####&word=####
- wap.n.sh####.com/se/static/ala_atom/app/realtime/bundle_4416b90.js
- wap.n.sh####.com/se/static/ala_atom/app/recommend_list/bundle_2652849.js
- wap.n.sh####.com/se/static/ala_atom/app/sd_imgs/bundle_83abaea.js
- wap.n.sh####.com/se/static/ala_atom/app/sigma_celebrity_rela/bundle_6826...
- wap.n.sh####.com/se/static/amd_modules/@baidu/better-scroll_5c22848.js
- wap.n.sh####.com/se/static/amd_modules/@baidu/fusion-components/dist/b-s...
- wap.n.sh####.com/se/static/amd_modules/@baidu/fusion-components/dist/b-t...
- wap.n.sh####.com/se/static/amd_modules/@baidu/fusion-components/dist/dep...
- wap.n.sh####.com/se/static/amd_modules/@baidu/web-animations-js_1c591d9.js
- wap.n.sh####.com/se/static/atom/search-ui/v2/Tombstone/ImgTombstone.css_...
- wap.n.sh####.com/se/static/atom/search-ui/v2/core_7ec4247.js
- wap.n.sh####.com/se/static/atom/search-ui/v2/enhance_958e60a.js
- wap.n.sh####.com/se/static/atom/search-ui/v2/few_bc665ce.js
- wap.n.sh####.com/se/static/font/pmd/cicon_7bd7f11.ttf
- wap.n.sh####.com/se/static/img/iphone/favicon64.ico
- wap.n.sh####.com/se/static/img/iphone/input_bearicon.png
- wap.n.sh####.com/se/static/img/iphone/logo_web.png
- wap.n.sh####.com/se/static/js/bundles/ala-util_c91ecd5.js
- wap.n.sh####.com/se/static/js/bundles/atom_44405ae.js
- wap.n.sh####.com/se/static/js/bundles/performance_3d792a5.js
- wap.n.sh####.com/se/static/js/dep/fingerprint2.min_c6eb516.js
- wap.n.sh####.com/se/static/js/log/exp_db2b53e.js
- wap.n.sh####.com/se/static/js/log/taiji_behavior_84e8fa7.js
- wap.n.sh####.com/se/static/js/log/taiji_device_e2f4d3c.js
- wap.n.sh####.com/se/static/js/modules/advanced_filter/advanced_filter_b0...
- wap.n.sh####.com/se/static/js/modules/baiduappFixedButton_4edbe08.js
- wap.n.sh####.com/se/static/js/modules/device_data_dep/h5_support_info_4f...
- wap.n.sh####.com/se/static/js/modules/device_data_dep/murmur3_e901bf7.js
- wap.n.sh####.com/se/static/js/modules/device_data_dep/support_fonts_ac84...
- wap.n.sh####.com/se/static/js/modules/device_data_dep/zoom_info_abaf8bb.js
- wap.n.sh####.com/se/static/js/modules/doodle_a62dc29.js
- wap.n.sh####.com/se/static/js/modules/invoke/fnProvider_f7cfe6c.js
- wap.n.sh####.com/se/static/js/modules/invoke/recInvokeBox_8113988.js
- wap.n.sh####.com/se/static/js/modules/invoke/serverDataFactory_690a36e.js
- wap.n.sh####.com/se/static/js/modules/invoke/setInvokeCookie_839ea4d.js
- wap.n.sh####.com/se/static/js/modules/safariicon/safariicon_d1dec0d.js
- wap.n.sh####.com/se/static/js/modules/vsl/vslNewUtil_9b32cc9.js
- wap.n.sh####.com/se/static/js/modules/vsl/vslUtil_2dbd992.js
- wap.n.sh####.com/se/static/js/modules/zbiosCommunicate_b7e66e5.js
- wap.n.sh####.com/se/static/wiseatom/feedback/pack_1018f1d.js
- wap.n.sh####.com/se/static/wiseatom/pagenav/pack_fa78789.js
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/default_ic...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/dingdan_63...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/fankui_cc4...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/guanzhu_0e...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/hanbaobao_...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/shaixuan_0...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/shoucang_5...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/assets/img/spritelist...
- wap.n.sh####.com/se/static/wiseatom/personalcenter/pack_4bd4195.js
- wap.n.sh####.com/speed/static/tj.gif?pagetype=####&logid=####&ta_net=###...
- wap.n.sh####.com/static/search/clear.png
- wap.n.sh####.com/static/search/image_default.png
- wap.n.sh####.com/static/search/sug_logo.png
- wap.n.sh####.com/static/searchbox/openjs/share.js?v=####
- wap.n.sh####.com/static/tj.gif?time=####
- wap.n.sh####.com/sugrec?callback=####&type=####&ishome=####&prod=####&fr...
- wap.n.sh####.com/sugrec?pre=####&p=####&ie=####&json=####&prod=####&from...
- wap.n.sh####.com/tc?tcreq4log=####&ssid=####&from=####&bd_page_type=####...
- www.a.sh####.com/5b1ZeDe5KgQFm2e88IuM_a/wbcj.gif?pid=####&lid=####&ts=##...
- wx.wea####.com.####.com/error.html?r=####
HTTP POST requests:
- a####.u####.com/app_logs
- d####.opensp####.cn/index.php/clientrequest/clientcollect/isCollect
- loc.map.b####.com/sdk.php
- scs.opensp####.cn/scs?cmd=####&logver=####&size=####
File system changes:
Creates the following files:
- /data/data/####/.imprint
- /data/data/####/.jg.ic
- /data/data/####/Alvin2.xml
- /data/data/####/ContextData.xml
- /data/data/####/ItemAdapter.db
- /data/data/####/ItemAdapter.db-journal
- /data/data/####/MenuMode.xml
- /data/data/####/Q8tFVImbNuvsmBwWwdqsPE6jsRQsSPkQ.xml
- /data/data/####/WebpageIcons.db-journal
- /data/data/####/com.iflytek.id.xml
- /data/data/####/com.iflytek.msc.xml
- /data/data/####/data_0
- /data/data/####/data_1
- /data/data/####/data_2
- /data/data/####/data_3
- /data/data/####/exchangeIdentity.json
- /data/data/####/f_000001
- /data/data/####/f_000002
- /data/data/####/f_000003
- /data/data/####/f_000004
- /data/data/####/f_000005
- /data/data/####/f_000006
- /data/data/####/f_000007
- /data/data/####/f_000008
- /data/data/####/f_000009
- /data/data/####/f_00000a
- /data/data/####/f_00000b
- /data/data/####/f_00000c
- /data/data/####/f_00000d
- /data/data/####/f_00000e
- /data/data/####/f_00000f
- /data/data/####/f_000010
- /data/data/####/f_000011
- /data/data/####/f_000012
- /data/data/####/f_000013
- /data/data/####/f_000014
- /data/data/####/f_000015
- /data/data/####/f_000016
- /data/data/####/f_000017
- /data/data/####/f_000018
- /data/data/####/f_000019
- /data/data/####/f_00001a
- /data/data/####/f_00001b
- /data/data/####/f_00001c
- /data/data/####/f_00001d
- /data/data/####/f_00001e
- /data/data/####/f_00001f
- /data/data/####/f_000020
- /data/data/####/f_000021
- /data/data/####/f_000022
- /data/data/####/f_000023
- /data/data/####/f_000024
- /data/data/####/f_000025
- /data/data/####/f_000026
- /data/data/####/f_000027
- /data/data/####/hkbrowser.db-journal
- /data/data/####/ifly_launch_lib.xml
- /data/data/####/iflytek_state_batbrowser.com.xml
- /data/data/####/index
- /data/data/####/libjiagu.so
- /data/data/####/pref_key.xml
- /data/data/####/umeng_general_config.xml
- /data/data/####/umeng_it.cache
- /data/data/####/webview.db-journal
- /data/data/####/webviewCookiesChromium.db-journal
- /data/media/####/.2F6E2C5B63F0F83B
- /data/media/####/.cuid
- /data/media/####/Alvin2.xml
- /data/media/####/ContextData.xml
- /data/media/####/con.dat
- /data/media/####/iflyworkdir_test
- /data/media/####/ls.db
- /data/media/####/ls.db-journal
- /data/media/####/yoh.dat
- /data/media/####/yol.dat
- /data/media/####/yom.dat
Miscellaneous:
Executes the following shell scripts:
- chmod 755 <Package Folder>/files/libjiagu.so
Loads the following dynamic libraries:
- bspatch
- libjiagu
- locSDK4
- msc
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses special library to hide executable bytecode.
Gets information about location.
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about APN settings.
Adds tasks to the system scheduler.
Displays its own windows over windows of other apps.
